#263 Don't delegate user key search to ES as key is not indexed

TheHive-Project · Sep 5, 2017 · 008a59a · 008a59a
1 parent 106842f
commit 008a59a
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/thehive-backend/app/controllers/UserCtrl.scala b/thehive-backend/app/controllers/UserCtrl.scala
@@ -46,9 +46,9 @@ class UserCtrl @Inject() (
   @Timed
   def update(id: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     if (id == request.authContext.userId || request.authContext.roles.contains(Roles.admin)) {
-      if (request.body.contains("password"))
-        logger.warn("Change password attribute using update operation is deprecated. Please use dedicated API (setPassword and changePassword)")
-      userSrv.update(id, request.body.unset("password")).map { user ⇒
+      if (request.body.contains("password") || request.body.contains("key"))
+        logger.warn("Change password or key using update operation is deprecated. Please use dedicated API (setPassword, changePassword or renewKey)")
+      userSrv.update(id, request.body.unset("password").unset("key")).map { user ⇒
         renderer.toOutput(OK, user)
       }
     }

diff --git a/thehive-backend/app/models/User.scala b/thehive-backend/app/models/User.scala
@@ -18,8 +18,7 @@ object UserStatus extends Enumeration with HiveEnumeration {
 trait UserAttributes { _: AttributeDef ⇒
   val login = attribute("login", F.stringFmt, "Login of the user", O.form)
   val userId = attribute("_id", F.stringFmt, "User id (login)", O.model)
-  val withKey = optionalAttribute("with-key", F.booleanFmt, "Generate an API key", O.form)
-  val key = optionalAttribute("key", F.stringFmt, "API key", O.model, O.sensitive, O.unaudited)
+  val key = optionalAttribute("key", F.stringFmt, "API key", O.sensitive, O.unaudited)
   val userName = attribute("name", F.stringFmt, "Full name (Firstname Lastname)")
   val roles = multiAttribute("roles", RoleAttributeFormat, "Comma separated role list (READ, WRITE and ADMIN)")
   val status = attribute("status", F.enumFmt(UserStatus), "Status of the user", UserStatus.Ok)

diff --git a/thehive-backend/app/services/LocalAuthSrv.scala b/thehive-backend/app/services/LocalAuthSrv.scala
@@ -43,8 +43,10 @@ class LocalAuthSrv @Inject() (
 
   override def authenticate(key: String)(implicit request: RequestHeader): Future[AuthContext] = {
     import org.elastic4play.services.QueryDSL._
-    userSrv.find(and("status" ~= "Ok", "key" ~= key), Some("0-1"), Nil)
+    // key attribute is sensitive so it is not possible to search on that field
+    userSrv.find("status" ~= "Ok", Some("all"), Nil)
       ._1
+      .filter(_.key().contains(key))
       .runWith(Sink.headOption)
       .flatMap {
         case Some(user) ⇒ userSrv.getFromUser(request, user)